dark reading threat intel and cybersecurity news

Ransomware gangs are hitting the industrial sector hard, especially manufacturing companies, with significant spikes in cyberattack activity against US organizations spotted in the third quarter. Meanwhile, emerging ransomware groups are bursting onto the scene, threatening to push the rate of attacks up even higher.

According to a Dragos Q3 analysis of ransomware attacks on industrial organizations, 36% of the recorded cases globally hit North America (46 incidents). This is a significant 10% increase over last quarter, when a quarter of cases affected the region.

However, the analysis also found that the rate of attacks globally remained flat quarter over quarter — 128 incidents for Q3 vs. 125 in Q2.

The majority (68%) of observed incidents were aimed at the manufacturing sector. Out of the confirmed attacks (i.e., those publicly reported, seen in the firm’s telemetry, or confirmed on the Dark Web), 88 were against that segment, especially companies producing metal products (12 attacks).

Nine percent of attacks targeted the food and beverage sector (12 incidents), followed by oil and natural gas (6%, or eight incidents) and the energy and pharmaceuticals sectors (collectively making up 10% of attacks, with seven and six incidents respectively). The chemical, mining, engineering, and water and wastewater systems segments had just one attack each.

In terms of the actors on the industrial stage, the LockBit gang was behind more than a third of all global incidents (35%), while some other known names focused on the energy sector (Ragnar Locker and BlackCat/AlphaV, notably). But the quarter also saw the rise of some emerging actors, like Sparta Blog, BianLian, Donuts, Onyx, and the slow-burning Yanluowang.

In all cases, various groups seemed to have specialties, Dragos noted, including:

  • Ragnar Locker has been targeting mainly energy.
  • Cl0p Leaks has been targeting only water and wastewater.
  • Karakurt has targeted only manufacturing in Q3, while in Q2, it only targeted transportation entities.
  • LockBit 3.0 is the only group that targeted chemicals, drilling, industrial supplies, and interior design.
  • Stormous has only targeted Vietnam.
  • Lorenz has only targeted the United States.
  • Sparta Blog has only targeted Spain.
  • Black Basta and Hive mainly targeted the transportation sector.

Going forward, Dragos researchers warned that more ransomware groups, either new or reformed, will appear in the next quarter because of the changes in ransomware groups and the leaking of the LockBit 3.0 builder, all of which could lead to greater attack volumes.

“[We have] high confidence that ransomware will continue to disrupt industrial operations, whether through the integration of [operational technology] OT kill processes into ransomware strains, flattened networks allowing for ransomware to spread into OT environments, or through precautionary shutdowns of OT environments by operators to prevent ransomware from spreading to OT systems,” Dragos researchers said in the Wednesday report.